ci/harden github actions (#412)

* ci: Pin github actions to its commit SHA * ci: Pin github actions to its commit SHA * chore: Pin docker base images * fix: Typo in vet-ci
2025-12-10 00:22:08 -06:00 · 2025-03-23 01:46:25 +05:30 · 2025-03-23 01:46:25 +05:30 · 05e6fbebfd
commit 05e6fbebfd
parent 35b0021569
10 changed files with 42 additions and 27 deletions
--- a/.cursor/mcp.json
+++ b/.cursor/mcp.json
@ -0,0 +1,13 @@
+{
+  "mcpServers": {
+    "pinner-mcp-stdio-server": {
+      "command": "docker",
+      "args": [
+        "run",
+        "--rm",
+        "-i",
+        "ghcr.io/safedep/pinner-mcp:latest"
+      ]
+    }
+  }
+}
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -13,10 +13,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Source
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: Set up Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
        with:
          go-version: 1.24
          check-latest: true
@ -38,10 +38,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Source
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: Set up Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
        with:
          go-version: 1.24
          check-latest: true
@ -73,13 +73,13 @@ jobs:
    timeout-minutes: 15
    steps:
    - name: Checkout Source
-      uses: actions/checkout@v3
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

    - name: Setup QEMU
-      uses: docker/setup-qemu-action@v2
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3

    - name: Setup Docker Buildx
-      uses: docker/setup-buildx-action@v2
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3

    - name: Build Container Image
      run: |
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -39,7 +39,7 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

    - name: Set up Go
      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34
@ -48,7 +48,7 @@ jobs:
        check-latest: true

    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@ -63,6 +63,6 @@ jobs:
        go build

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
      with:
        category: "/language:${{matrix.language}}"
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@ -27,23 +27,23 @@ jobs:
      id-token: write

    steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
      with:
        submodules: true
        fetch-depth: 0

    - name: Registry Login
-      uses: docker/login-action@v1
+      uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

    - name: Setup QEMU
-      uses: docker/setup-qemu-action@v2
+      uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7

    - name: Setup Docker Buildx
-      uses: docker/setup-buildx-action@v2
+      uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55

    - name: Build and Push Container Image
      run: |
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@ -16,6 +16,6 @@ jobs:
    timeout-minutes: 15
    steps:
      - name: 'Checkout Repository'
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
      - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v3
+        uses: actions/dependency-review-action@cc4f6536e38d1126c5e3b0683d469a14f23bfea4 # v3
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@ -16,9 +16,9 @@ jobs:
        with:
          go-version: 1.24
          cache: false
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc
        with:
          version: latest
          args: --issues-exit-code=1 --timeout=10m
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@ -56,7 +56,7 @@ jobs:

      - name: Setup Cache for OSX Cross Compiler Tool Chain
        id: osxcross-cache
-        uses: actions/cache@v3
+        uses: actions/cache@2f8e54208210a422b2efd51efaa6bd6d7ca8920f # v3
        with:
          key: ${{ runner.os }}-osxcross-${{ env.OSX_CROSS_MACOS_SDK_VERSION }}
          path: |
@ -94,7 +94,7 @@ jobs:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
    with:
      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
      upload-assets: true
--- a/.github/workflows/secret_scan.yml
+++ b/.github/workflows/secret_scan.yml
@ -13,11 +13,11 @@ jobs:
    timeout-minutes: 30
    steps:
      - name: Checkout Source
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5
        with:
          fetch-depth: '0'
      - name: TruffleHog OSS
-        uses: trufflesecurity/trufflehog@main
+        uses: trufflesecurity/trufflehog@8b6f55b592e46ac44a42dc3e3dee0ebcc0f56df5
        with:
          path: ./
          base: main
--- a/.github/workflows/vet-ci.yml
+++ b/.github/workflows/vet-ci.yml
@ -20,9 +20,9 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

-      - name: Enable Cloud Cloud
+      - name: Enable Cloud Mode
        run: echo "SAFEDEP_CLOUD_MODE=true" >> $GITHUB_ENV

      - name: Override Cloud Mode if Actor is Dependabot
@ -34,7 +34,7 @@ jobs:
        run: echo "SAFEDEP_CLOUD_MODE=false" >> $GITHUB_ENV

      - name: Run vet
-        uses: safedep/vet-action@v1
+        uses: safedep/vet-action@01f547ee95dfd4f8f11fa64b399e5e00f22b0801
        with:
          policy: .github/vet/policy.yml
          cloud: ${{ env.SAFEDEP_CLOUD_MODE }}
--- a/6
+++ b/6
@ -1,4 +1,5 @@
-FROM --platform=$BUILDPLATFORM golang:1.24-bullseye AS build
+FROM --platform=$BUILDPLATFORM golang:1.24-bullseye@sha256:3c669c8fed069d80d199073b806243c4bf79ad117b797b96f18177ad9c521cff AS build
+# Original: golang:1.24-bullseye

 WORKDIR /build

@ -12,7 +13,8 @@ ENV CGO_ENABLED=1

 RUN make quick-vet

-FROM debian:bullseye-slim
+FROM debian:11-slim@sha256:e4b93db6aad977a95aa103917f3de8a2b16ead91cf255c3ccdb300c5d20f3015
+# Original: debian:11-slim

 # Create nonroot user and group with specific IDs
 RUN groupadd -r nonroot --gid=65532 && \